MUCH ADO ABOUT SOMETHING THAT REALLY MATTERS; GDPR and BEYOND…

Time sure flies, especially when it comes to rules and regulations you will have to abide by: you think you have all the time in the world for preparation, while that is not the case in any professional or personal sense. The GDPR (General Data Protection Regulation), which will become binding as of 25th May 2018, repealing the current Directive 95/46/EC, is no exception, and it has long deserved attention for all the preparation, repercussions and opportunities it brings. In this humble entry to this (deservedly) hot discussion, the aim is to present at least a bird's-eye view of the issues, questions and prerequisites to take above the radar.

First of all, the GDPR raises a lot of issues that disseminate through the agendas of each and every related party via diverse topics, a bunch of which are listed here:

  •  As its name implies, the GDPR, being a general regulation, aims to harmonise the data protection rule sets across Europe, in the absence of any such positively entangling document of grand scale. At this very juncture, it is very important to be ready to face the challenges likely to be encountered, thus empowering a good old function of corporate bureaucracy: compliance.

  •  Just like the EC developing into the EU, maybe it is time to welcome the next big thing: the “Digital Common Market”? There are no state borders or trade tariffs in the virtual world. This concrete reality of the virtual sphere necessitates novel approaches to almost every business function; from marketing to executive decision-making processes, from audit/risk management to buying/purchasing units. The GDPR is already a paradigm-defining document, hence aligning certain business functions to it will be a considerable challenge for any related entity.

  •  Speaking of a new/digital single market, it is also imperative to state that the physical nonexistence of borders does not necessarily mean the total absence of control: now we have new checkpoints where (sort of) customs officers stand on the firm ground of the GDPR; namely, DPOs (Data Protection Officers). The DPOs are to constitute a new kind of digital nomenclature, sitting right between laws/regulations and digital/virtual data platforms and networks.

  •  Where there is responsibility and division of labour, accountability issues are sure to follow. Documentation and disclosure issues for data controllers seem to arise out of the new regulation’s implementation.

  •  The GDPR defines direct data processor obligations, and this feature will have a considerable impact on major decision-making processes. Moreover, the data breach notification requirements of the GDPR (building on local/national regulations such as the UK ICO’s expectation of being informed about “serious” breaches) will add to the weight on the shoulders of the professionals who in one way or another “touch” data.

  •  And the moment of truth: fines! It is no secret that Board attention is already on this very feature of the GDPR, as it should be. How could it not be? Just to give an idea: specified infringements would attract a fine figure (no puns intended!) of up to the higher of 2% of annual worldwide turnover and EUR 10 Million.

  •  Every holistic/grand-scale regulation comes with its institution, and the GDPR is no exception; now we have the EDPB (European Data Protection Board). The EDPB replaces (or more accurately extends) the Article 29 Working Party, and it openly envisages/encourages BCRs (Binding Corporate Standards) to be developed. It is not an exaggeration to claim that a novel set of “golden rules” will emerge from this incentive as generally accepted data protection rules, like GAAP or the IPPF.

  •  Last but not least: a new chapter is opened under the covenant of untouchable human rights, rather than as a temporary attachment, which is entitled data subjects’ rights. There are a myriad of data subjects’ rights, but just to give a glimpse of them:

       •  Right to require/acquire information,

       •  Right to access data in certain circumstances,

       •  Right to object to their personal data being processed,

       •  Right to apply for correction of data which is wrong,

       •  Even the right to be “forgotten” (anyone remembering Google vs. Spain?)

Before concluding with the prerequisites to be satisfied prior to the GDPR, let us be angel’s advocate and pose some burning questions so as to assess our very own awareness level per se:

  •  What are the new obligations brought by the GDPR that are to be applied within the organisation?

  •  What differences/empty spots exist between the existing and future compliance standards?

  •  What changes are to be made to achieve compliance with the GDPR?

  •  What timetable is to be envisaged; is there an agenda/schedule?

  •  Which order of priority; have the items/obligations been prioritised?

  •  What costs should organisations expect; is there a budget?

To sum up, the GDPR is here and there is nothing to fear, provided that the issues below and similar ones are taken above the radar and treated with the utmost care and diligence, as the new digital era and the data themselves deserve:

  •  Get ready for probable data security breaches and have a respective toolkit,

  •  Build a framework for accountability; make sure everybody is responsible for some aspect and there is no blank space left,

  •  Design in a way that embraces privacy,

  •  Memorise/imbibe the legal context in which you use personal data,

  •  Beware of stepping on data subjects’ rights while protecting the data,

  •  Make data transfers subject to double checks and controls.